On 3/25/21 7:11 PM, Salvatore Bonaccorso wrote:
> Source: ceph
> Source-Version: 14.2.18-1
>
> On Mon, Mar 22, 2021 at 11:17:02AM +0100, Moritz Muehlenhoff wrote:
>> On Mon, Mar 22, 2021 at 10:11:29AM +0100, Thomas Goirand wrote:
>>> On 3/21/21 7:59 PM, Moritz Muehlenhoff wrote:
>>>> Package: ceph
>>>> Severity: important
>>>> Tags: security
>>>> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>>>>
>>>> CVE-2020-27781
>>>> https://bugs.launchpad.net/manila/+bug/1904015
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1900109
>>>> https://github.com/ceph/ceph/commit/1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
>>>> (octopus)
>>>> https://github.com/ceph/ceph/commit/7e3e4e73783a98bb07ab399438eb3aab41a6fc8b
>>>> (nautilus)
>>>> https://github.com/ceph/ceph/commit/956ceb853a58f6b6847b31fac34f2f0228a70579
>>>> (luminous)
>>>>
>>>> CVE-2020-27839
>>>> https://tracker.ceph.com/issues/44591
>>>> https://github.com/ceph/ceph/pull/38259
>>>> https://github.com/ceph/ceph/commit/23f2604d6f9ac16779b4ac43aab6e4e434f2e8ec
>>>>
>>>> Cheers,
>>>> Moritz
>>>>
>>>
>>> Hi Moritz,
>>>
>>> To me, these issues were fixed in 14.2.16, which is already in
>>> unstable/bullseye, and also in Buster backports. It matches what I have
>>> in memory (but I'm not 100% sure).
>>>
>>> I tried applying the above patches, and that's how it felt too.
>>
>> I can confirm that CVE-2020-27781 is fixed in sid,
>> 7e3e4e73783a98bb07ab399438eb3aab41a6fc8b
>> landed in v14.2.16 and thus in unstable. I've updated the Security Tracker.
>>
>> But CVE-2020-27839 was fixed in the nautilus branch in
>> 843b2e9cd4cb996165d1818ebff125f1414f90c5
>> which only ended up in v14.2.17 and is thus missing in unstable/testing.
>> Right?
>
> And so it looks addressed with the 14.2.18-1 upload to unstable,
> marking the bug as such fixed.
>
> Regards,
> Salvatore
Yeah, and I forgot to close the bug... :/
I'll upload to Backports soon...

Thomas